CVE-2026-42043: Axios NO_PROXY Protection Bypass via RFC 1122 Loopback Subnet

DEV Community·CVE Reports·28 days ago

CVE-2026-42043: Axios NO_PROXY Protection Bypass via RFC 1122 Loopback Subnet

Vulnerability ID: CVE-2026-42043
CVSS Score: 7.2
Published: 2026-05-05

Axios versions prior to 1.15.1 and 0.31.1 contain a security control bypass vulnerability in the NO_PROXY implementation. The issue originates from an incomplete fix for a previous vulnerability (CVE-2025-62718). By targeting non-standard loopback IP addresses within the 127.0.0.0/8 subnet, an attacker can bypass internal traffic protections and force Axios to route requests through an external proxy. This results in Server-Side Request Forgery (SSRF) and Confused Deputy attacks.

TL;DR: Axios fails to validate the full 127.0.0.0/8 loopback subnet, allowing attackers to supply non-standard local IPs (e.g., 127.0.0.2) to bypass NO_PROXY rules and maliciously route internal traffic through external proxies.…
